#39 ✓resolved

valid_password? checkes for match with the currently changed state of the password

Reported by LacKac | February 12th, 2009 @ 10:11 AM

If valid_password? is called on an unsaved object which has an updated password field, then it validates the attempted password with the new unsaved password which in my opinion is the wrong behaviour. It should still validate with the original password.

E.g. this could be used to check the old password when the user wants to change her password. Three fields would be submitted: old_password, password and password_confirmation, which would all be set on the user object by the update_attributes method. Then somewhere in the validation process a method would check if old_password is valid. By that time password and password_confirmation are set and crypted_password and password_salt are also set accordingly. This causes a problem when valid_password? is called since it will encrypt with the new password_salt and check against the new crypted_password value.

A suggested fix for this is commited to my fork at github: http://github.com/lackac/authlog... (a test is provided as well)

Comments and changes to this ticket

  • Ben Johnson

    Ben Johnson February 12th, 2009 @ 01:25 PM

    • State changed from “new” to “open”

    I agree with you, but the problem is that not everyone has dirty attributes. They might have an older version of AR that doesn't have it. I guess in that instance I could fall back to using the current password.

  • Ben Johnson

    Ben Johnson February 13th, 2009 @ 04:13 PM

    Alright, so I took a stab at implementing this and it causes problems with new records. That being said, what is wrong with checking the password before your change it? I would imagine that would make the most sense anyways, instead of the other way aropund. What do you think?

  • LacKac

    LacKac February 14th, 2009 @ 12:21 PM

    What problems are we talking about? I'd argue with checking first making the most sense. Changing the password is an update on the account object really, which needs an extra validation. I would put this into the model this way not needing anything extra in the controller.

    I guess the compatibility problem could be solved by saving the crypted_password and password_salt fields to an instance variable on first modification of these values and using these if they exist when validating the password. For new records none of these is necessary, since we surely don't have an old password to validate.

    I'll try to do this modifications later tonight and submit a patch if it works out.

  • Ben Johnson

    Ben Johnson February 17th, 2009 @ 03:18 AM

    Sounds good, it should be an easy change, but I was having issues with my tests. I'll see if I can work on it more as well, but help would be appreciated. Thanks!

  • LacKac

    LacKac March 16th, 2009 @ 06:08 AM

    I tried to follow up and make it compatible with Rails 2.0 and below (pre Dirty feature), when I noticed that you use the dirty featureset too in validations to check if the email of login field was changed.

    So I guess there's nothing wrong using it for old password validation as well.

  • Ben Johnson

    Ben Johnson March 23rd, 2009 @ 03:19 AM

    Sorry for the delay. I'm kind of on the fence with this, but I am leaning towards your side. How about this, if you can update your fork, make the changes, and have the tests pass then I'll include. I also agree that the "dirty" feature can be assumed installed, since I am using it throughout Authlogic.

  • Ben Johnson

    Ben Johnson April 3rd, 2009 @ 01:21 AM

    • State changed from “open” to “resolved”

    Please let me know if this is still an issue.

  • Aaron

    Aaron April 20th, 2009 @ 07:22 PM

    I'd like to see this change implemented as well. I just ran into the same error in my application:

    def validate_on_update unless self.old_password.nil?

    self.errors.add(:old_password, "Wrong password") unless valid_password?(old_password)

    end end

    This checks against the new password when user.password and user.password_confirmation are sent instead of checking against the old one

  • Ben Johnson

    Ben Johnson April 22nd, 2009 @ 06:18 PM

    I decided to add better support for this. See this commit: http://github.com/binarylogic/au...

  • Michael768

    Michael768 January 28th, 2019 @ 01:01 AM

    There's a Hash::check() function which allows you to check whether the old password entered by user is correct or not.


    if (Hash::check("param1", "param2")) {
    //add logic here }

    param1 - user password that has been entered on the form
    param2 - old password hash stored in database
    it will return true if old password has been entered correctly and you can add your logic accordingly

    for new_password and new_confirm_password to be same, you can add your validation in form request like tutuapp

    'new_password' => 'required', 'new_confirm_password' => 'required|same:new_password'

  • MariaMSmith

    MariaMSmith October 4th, 2019 @ 02:08 AM

    I appreciate your suggestion about the password query and I hope it will resolve many security issues of users. If we read the easyshark into this, I hope it makes more useful for us and you will love it once you read this.

  • Buy Instagram Folllowers UK

    Buy Instagram Folllowers UK October 10th, 2019 @ 05:48 AM

    Get new sites to promote your business fast!
    Just subscribe my shannel and read below instructions carefully!

  • followers italy

    followers italy November 12th, 2019 @ 11:13 AM

    The task is to check the entered password is matched or not. ... Then check if both variable value is equal then password match otherwise password does not by http://buyfollowersitaly.com/

  • buyfollowers

    buyfollowers January 23rd, 2020 @ 04:48 AM

    Open up routes/web.php and change the contents to match below. ... This will keep our tests from affecting the state of our database; the database ... in use and a valid password matching the password confirmation ... We assert the response is successful and check for the presence of a validation message. by http://followersuk.co.uk/

  • followers uk

    followers uk June 3rd, 2020 @ 03:11 AM

    There's a Hash::check() function which allows you to check whether the old password ... The field under validation must match the authenticated user's password. ... And 'required|confirmed' you change to 'required|same:password' to .. by http://buyactivefollowersuk.co.uk//

  • followers uk

    followers uk June 3rd, 2020 @ 03:11 AM

    Type the correct user ID and password, and try again” error message. ... entering the correct username and password) if your account is in a “locked” state. ... The referenced account is currently locked out and may not be logged on to ... Check the Wifi network settings on all of your devices (iPhone, iPad, ... by https://ertugrulghaziurduinfo.blogspot.com/

  • followers uk

    followers uk June 3rd, 2020 @ 03:12 AM

    validate_password checks the cleartext password in the following statement. ... (HY000): Your password does not satisfy the current policy requirements ... The default is MEDIUM ; to change this, modify the value of validate_password_policy . ... the condition that password substrings of length 4 or longer must not match ...
    by https://followersuk.uk/

  • followers uk

    followers uk June 3rd, 2020 @ 03:12 AM

    ... you to configure password policy, and status variables for component monitoring. ... validate_password checks the cleartext password in the following statement. ... is MEDIUM ; to change this, modify the value of validate_password.policy . ... match the user name part of the effective user account for the current session, ... by https://epicfollowers.ca/

  • followers uk

    followers uk June 3rd, 2020 @ 03:12 AM

    didnot change the theme, my current theme is EGURU theme ... Most likely the password did not match (error ID '3'). ... "Turning this on will make Moodle check user passwords against a valid password policy. ... Also Some users changed their password and when they relogin it gives them wrong password. by https://buyfollowerscanada.com/

  • urdu poetry

    urdu poetry June 17th, 2021 @ 02:26 PM

    Binary Logic. Provides the binary S3 class. The instance of binary is used to convert a decimal number (Base10) to a binary ... by world777

  • urdu poetry

    urdu poetry June 17th, 2021 @ 02:27 PM

    Binary Logic GNU R Package. Contribute to d4ndo/binaryLogic development by creating an account on GitHub. byv urdu poetry

  • buyinstagramfoloowersaustralia

    buyinstagramfoloowersaustralia September 14th, 2021 @ 02:33 AM

    Generally, a user has to choose a username or user ID and provide a valid password to begin using a system. User authentication authorizes human-to-machine ...

  • buyinstagramfoloowersaustralia

    buyinstagramfoloowersaustralia September 14th, 2021 @ 02:33 AM

    If a valid password answer is supplied in the passwordAnswer parameter, ... the provider will check to see which updatable properties have changed and will ...

  • buy instagram
  • 123VEGA

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Object based authentication solution that handles all of the non sense for you. It's as easy as ActiveRecord is with a database.

People watching this ticket